LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 02-15-2005, 02:15 PM   #1
harken
Member
 
Registered: Jan 2005
Location: Between the chair and the desk
Distribution: Debian Sarge, kernel 2.6.13
Posts: 666

Rep: Reputation: 30
Still getting 'illegal' ssh messages


A n00b question: why do I still get in my logs ssh messages like "Illegal user <name> from XX.XX.XX.XX" while the hosts.deny specifies 'ALL:PARANOID' and the hosts.allow is empty?

I read the thread at the beginning of this forum regarding illegal ssh attempts, but how come they still get the chance to attempt a login? I must admit since I have these settings the attempts became more rare (2-3 once every 2-3 days) yet they bother me.
I also get messages of "refused connect from ..." so, shouldn't it be supposed to refuse ALL connections?
 
Old 02-15-2005, 03:31 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Re: Still getting 'illegal' ssh messages

A n00b question: why do I still get in my logs ssh messages like "Illegal user <name> from XX.XX.XX.XX" while the hosts.deny specifies 'ALL:PARANOID' and the hosts.allow is empty?
As far as I know, PARANOID just matches spoofed connections (requests whose hostname doesn't match IP). So all your hosts.deny is doing is dropping spoofed requests to any supported service. Keep in mind that this has nothing to do with the username that someone is trying to login with and whether it is valid or not.

I read the thread at the beginning of this forum regarding illegal ssh attempts, but how come they still get the chance to attempt a login?
See above. As long as they are making valid requests (hostname and IP match) they can try as many login attempts as they like.

Maybe if you explain what you would like to do, we could help you find a reasonable solution. Though blocking all incoming requests doesn't seem to make any sense. Why even run the ssh service then?
 
Old 02-16-2005, 02:51 AM   #3
harken
Member
 
Registered: Jan 2005
Location: Between the chair and the desk
Distribution: Debian Sarge, kernel 2.6.13
Posts: 666

Original Poster
Rep: Reputation: 30
I'm keeping ssh running just in case I need to do a remote login myself (yet I don't think I'll ever need it, just in case).
Quote:
Keep in mind that this has nothing to do with the username that someone is trying to login with and whether it is valid or not.
So I should use the Deny/Allow Groups/Users in sshd_config to prevent anybody from succesful logins except me, right? Of course, if the attacker isn't so lucky (or smart) to guess my account name/password combination.
Quote:
Maybe if you explain what you would like to do, we could help you find a reasonable solution.
My computer's purpose is just an ordinary workstation, a home computer. I'm just trying to make it as safe as possible. I've had enough unpleasant surprises when I used to run Window$ such as viruses, spyware and malware.

Thanks in advance.

Last edited by harken; 02-16-2005 at 02:52 AM.
 
Old 02-16-2005, 05:00 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
I'm keeping ssh running just in case I need to do a remote login myself (yet I don't think I'll ever need it, just in case).
Ok, but that's the tradeoff. You're running a public service in order to give yourself convenient access from anywhere. But that means you don't really have any way of restricting login access. Unfortunately tcp_wrappers (hosts.allow/deny) can't really do much then. If you can limit access to only a few netblocks or IPs, then you'll significantly cut down on the number of these login attempts. For example I limit ssh access from my work IP block, and home ISP IP blocks and it helps alot. Unfortunately that means I can't login from anywhere.

So I should use the Deny/Allow Groups/Users in sshd_config to prevent anybody from succesful logins except me, right?
Definitely disallow remote root logins and any users on the system that don't need ssh access. However, this will still not prevent login attempts for other users (or non-existant users) on the system.

Of course, if the attacker isn't so lucky (or smart) to guess my account name/password combination.
If you use good passwords, then this is much harder to do than most people realize. The brutessh tool that does these automated logins takes advantage of people doing really stupid/lazy things like using user/passwd combos like root/root or test/test. If your passwords are sufficiently long (>8 characters), random non-dictionary strings with numbers and symbols, then trying to guess a password or even bruteforce a password is incredible difficult (virtually impossible) using ssh. So botttom line is that if your passwords are good, then you don't need to be incredible concerned with some 12 year old script kiddie trying to login with admin/admin. Now if someone is persistantly trying logins for hours/days on end, then you should probably blacklist them with iptables.

Of course you can always switch to key-based authentication and put your keys on a usb pen drive so that you can login from anywhere or even run ssh on an alternative port. Either one of those will eliminate these types of scans.
 
Old 02-16-2005, 08:45 PM   #5
scattered
LQ Newbie
 
Registered: Feb 2005
Location: Bendigo, Vic, Australia
Distribution: slackware
Posts: 12

Rep: Reputation: 0
Just checked, my firewall dropped 9 ssh attempts Feb 15 08:33:13 to
Feb 17 01:17:56. This is normal 'background radiation' of the Internet.

I block ssh access except from a trusted IP list. Consider blocking root
ssh access altogether. And as others suggest, you can change the port.

Most of the garbage coming in from 'net is directed at WinNT boxen, and
a few at unix users. Example:

deltree:~$ grep InpDrop /var/log/messages | grep -c "DPT=445 "
5703
deltree:~$ grep InpDrop /var/log/messages | grep -c "DPT=22 "
9
deltree:~$

Rather run windows?
 
Old 02-16-2005, 10:54 PM   #6
mastahnke
Member
 
Registered: Feb 2002
Location: IL
Distribution: Ubuntu currently, also Fedora, RHEL, CentOS
Posts: 111

Rep: Reputation: 15
I'll second the "use keys" notion. If you have cd, floppy or USb drive with some space, put your private key on that and disable password authenication, then you KNOW you can be the only one in. (keys are crackable, but extremely unlikely. better chance of being hit by lighting 3 times).

Using keys will not prevent connections attempts from outside sources.

Also, you could move your ssh server from port 22. Most of the "attack attempts" circulating the internet use port 22 and that's all. If you move to 2222 or anything else, I would bet your connection attempts would dramatically decrease.

MIKE
 
Old 02-17-2005, 02:42 AM   #7
harken
Member
 
Registered: Jan 2005
Location: Between the chair and the desk
Distribution: Debian Sarge, kernel 2.6.13
Posts: 666

Original Poster
Rep: Reputation: 30
Thank you for your replies. Ok, I've decided to stop using sshd for now. I know you can do it with '/etc/init.d/sshd stop' but how to do it pemanently? I can't remember which file sets the daemons that will be started at boot up. Remember, I'm a n00b. BTW, this won't stop me from ssh'ing into other machines, right?

And one more question: searching the net I found many posts with similar topics. Most of them showed parts of logs where the messages said the attempts consisted of trying both an account name followed by a password. In my logs I see nothing related to incorrect or failed passwords. Only 'illegal users'. Why?
 
Old 02-17-2005, 06:22 AM   #8
harken
Member
 
Registered: Jan 2005
Location: Between the chair and the desk
Distribution: Debian Sarge, kernel 2.6.13
Posts: 666

Original Poster
Rep: Reputation: 30
Ok, I've done some more reading meanwhile and it looks like /etc/inetd.conf is what I'm supposed to be after (please correct me if I'm wrong).
Yet the file contains (uncommented) entries only for:
ident stream tcp wait identd /usr/sbin/identd identd
cvspserver stream tcp nowait root /usr/sbin/tcpd /usr/sbin/cvs-pserver
No ssh.

Some more reading and I find out that I need to edit a /etc/rc.d/inetd file. Don't have a rc.d directory. Then I see that I must rename files in /etc/rcN.d (N=0..6,S) so they don't begin with a 'S' in order to prevent their loading at startup.
Is this the right way?
 
Old 02-17-2005, 08:17 AM   #9
mastahnke
Member
 
Registered: Feb 2002
Location: IL
Distribution: Ubuntu currently, also Fedora, RHEL, CentOS
Posts: 111

Rep: Reputation: 15
most of the time, sshd does not run out of inetd; it runs as its own service. I am not 100% certain if debian has chkconfig, but if it does, try chkconfig sshd off. That will prevent it from starting at boot time. You will still be able to ssh to other machines.

Renaming the startup files in /etc/rc.* is a perfectly good way to prevent startup also.
 
Old 02-17-2005, 01:50 PM   #10
makuyl
Senior Member
 
Registered: Dec 2004
Location: Helsinki
Distribution: Debian Sid
Posts: 1,107

Rep: Reputation: 53
The debian way of stopping services like ssh from running at bootup is: update-rc.d -f ssh remove
You can put it back with: update-rc.d ssh defaults
 
Old 02-18-2005, 04:57 AM   #11
harken
Member
 
Registered: Jan 2005
Location: Between the chair and the desk
Distribution: Debian Sarge, kernel 2.6.13
Posts: 666

Original Poster
Rep: Reputation: 30
Thanks. That's what I needed to know. A bit late though...I already renamed S(K)20ssh to s(k)20ssh where necessary. Good to know for the future anyway.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
ssh console broadcast messages time112852 Linux - Software 2 11-23-2005 02:45 PM
Redirecting the kernel messages to file other than /var/log/messages jyotika_b83 Linux - General 3 04-28-2005 06:39 PM
/var/log/messages full of these messages. Should I be concerned? mdavis Linux - Security 5 04-16-2004 10:08 AM
Sending messages over SSH jeucken Linux - Networking 1 12-15-2003 01:54 PM
syslog and firestarter - log messages to another file than messages mule Linux - Newbie 0 08-07-2003 03:35 AM


All times are GMT -5. The time now is 11:30 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration